registry  /  vallum  /  0.4.0

vallum@0.4.0

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious behavior in the packaged JavaScript. Residual risk is a postinstall remote binary downloader without bundled source inspection of the fetched binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; vallum CLI execution runs the downloaded binary
Impact
Installs and later executes a package-aligned native CLI binary; no source-confirmed exfiltration or agent control hijack in package files
Mechanism
platform-specific GitHub release artifact download and extraction
Rationale
Static inspection shows a conventional package-aligned native binary installer and CLI wrapper, with no lifecycle mutation of foreign AI-agent surfaces or data theft in the npm source. Because the executable payload is downloaded at install time and not inspectable from these package files, the remaining risk is warning-level rather than a publish block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_realtemporary archive under os.tmpdir()
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.4.0

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./install.js
  • install.js calls binary.install(false) during npm lifecycle
  • binary-install.js downloads a platform tarball from GitHub releases and extracts it into node_modules/.bin_real
  • run-vallum.js later executes the downloaded package-local binary via spawnSync
  • README documents user-invoked vallum install-hook writing Claude settings, but package lifecycle does not do this
Evidence against
  • No install-time writes to Claude/Codex/Cursor/MCP settings found in packaged JS
  • No credential harvesting or exfiltration logic found; proxy env vars are only used for download proxy support
  • Network endpoint is package-aligned GitHub release URL from package.json
  • No eval/vm/Function or dynamic require/import found
  • README AI/security text is product documentation, not reviewer-directed instruction
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
- It may contain **adversarial text** — log lines, scraped pages, or error messages crafted to hijack the agent ("ignore previous instructions…").
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings